CN113872965B - SQL injection detection method based on Snort engine - Google Patents


Info

Publication number
CN113872965B
CN113872965B (application CN202111131110.8A)
Authority
CN
China
Prior art keywords
rule
sql injection
injection detection
initial
data set
Prior art date
Legal status
Active
Application number
CN202111131110.8A
Other languages
Chinese (zh)
Other versions
CN113872965A (en)
Inventor
刘春�
张凌浩
王豪
Current Assignee
Leshan Power Supply Co Of State Grid Sichuan Electric Power Co
Original Assignee
Leshan Power Supply Co Of State Grid Sichuan Electric Power Co
Priority date
Filing date
Publication date
Application filed by Leshan Power Supply Co Of State Grid Sichuan Electric Power Co
Priority to CN202111131110.8A
Publication of CN113872965A
Application granted
Publication of CN113872965B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00 Reducing energy consumption in communication networks
    • Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses an SQL injection detection method based on the Snort engine, comprising the following steps: generating a suspected-traffic static packet capture, a normal-traffic static packet capture and a malicious-traffic static packet capture for the server; configuring initial SQL injection detection rules in the Snort engine; running the initial SQL injection detection rules against the normal-traffic capture and the malicious-traffic capture respectively and recording which rules hit; modifying the initial SQL injection detection rules according to the hit results to generate retest SQL injection detection rules, and reconfiguring the Snort engine with the retest rules; and running the retest rules against the suspected-traffic capture and recording the corresponding alert data to complete injection detection. Pre-testing and modifying the initial SQL injection rules reduces both the false negative rate (missed reports) and the false positive rate (false alarms) of the detection rules, thereby improving the detection efficiency of the engine.

Description

SQL injection detection method based on Snort engine
Technical Field
The invention relates to the field of network security, in particular to an SQL injection detection method based on a Snort engine.
Background
SQL injection arises when a web application does not properly validate or filter user-supplied input. An attacker can append additional SQL statements to the query statements predefined in the web application, so that the database server is tricked into executing arbitrary unauthorized queries without the administrator's knowledge. Through SQL injection the attacker can enumerate the database names, table names and field names on the server and thereby retrieve the data of the whole server, which is a serious threat to the data security of the website's users; the attacker can also obtain the password of the back-end administrator from the retrieved data and then maliciously tamper with the web pages. This poses a serious threat to the security of database information and of the whole database system. The Snort engine is widely used among existing network security detection engines because it is open source, but since SQL injection syntax patterns are diverse and the initial SQL injection detection rules in the existing Snort engine are imperfect, SQL injection detection suffers a large number of false positives and false negatives, which greatly reduces detection efficiency in actual use.
Disclosure of Invention
The technical problem to be solved by the invention is how to improve SQL injection detection efficiency. The invention provides an SQL injection detection method based on the Snort engine in which, before the Snort engine is used to detect suspected SQL injection traffic, the initial SQL injection rules present in the Snort engine are pre-tested against collected SQL injection malicious traffic and normal service traffic; the pre-tested initial SQL injection detection rules are then modified and adjusted by an initial rule modification script, which reduces the false negative rate and false positive rate of the initial SQL injection detection rules and improves SQL injection detection efficiency based on the Snort engine.
The invention is realized by the following technical scheme:
An SQL injection detection method based on the Snort engine comprises the following steps:
S1. Acquire suspected SQL injection traffic of the server and normal service traffic of the server, and generate a suspected-traffic static pcap file and a normal-traffic static pcap file respectively; generate SQL injection malicious traffic with the Burp Suite integrated platform and save it as a malicious-traffic static pcap file;
S2. Configure the initial SQL injection detection rules in the Snort engine; read the normal-traffic static pcap file and the malicious-traffic static pcap file with the Snort engine configured with the initial SQL injection detection rules; run the initial SQL injection detection rules against the normal-traffic pcap file and the malicious-traffic pcap file respectively and record the rule hits;
S3. Modify the initial SQL injection detection rules according to the rule hit results to generate retest SQL injection detection rules, and reconfigure the Snort engine with the retest SQL injection detection rules;
S4. Read the suspected-traffic static pcap file with the Snort engine configured with the retest SQL injection detection rules, run the retest rules against the suspected-traffic pcap file, and record the corresponding alert data to complete SQL injection detection.
The Snort engine is widely used among existing network security detection engines, but because SQL injection syntax patterns are diverse and the initial SQL injection detection rules in the existing Snort engine are imperfect, SQL injection detection has a large number of false positives and false negatives, and detection efficiency is greatly affected in actual detection.
Further, the specific rule hit process in step S2 is as follows:
S21. Match the malicious-traffic static pcap file against the initial SQL injection detection rules, and sort all SQL injection detection rules by the sid field of each rule to form a first matching data set;
S22. Find the SQL injection detection rules in the first matching data set that did not trigger an alert, generate a non-alarm data set, and obtain the false negative (missed report) rate from the non-alarm data set; if the false negative rate is greater than 0, go to step S25, and if it is 0, go to step S23;
S23. Match the normal-traffic static pcap file against the initial SQL injection detection rules, and sort all SQL injection detection rules by their sid field to form a second matching data set;
S24. Find the SQL injection detection rules in the second matching data set that triggered an alert, generate an alarm data set, and obtain the false positive rate from the alarm data set; if the false positive rate is greater than 0, go to step S25;
S25. Construct an initial rule modification script according to the SQL injection type; import the non-alarm data set into the script, match the non-alarm rules against the data, and add matching factors to the non-alarm rules so as to reduce the false negative rate in the subsequent retest; import the alarm data set into the script, match the alarm rules against the data, and delete or modify matching factors in the alarm rules so as to reduce the false positive rate in the subsequent retest. The matching factors are the content and pcre fields of an SQL injection detection rule: a content field hits the packet payload by keyword, and a pcre field hits the packet payload by regular expression.
Further, the non-alarm data set in S22 is generated as follows:
Use the relevant commands of the Snort engine's network intrusion detection mode to list the sids of all SQL injection detection rules that triggered an alert, and collect the sids and rule contents of the remaining rules in the first matching data set that did not trigger an alert to form the non-alarm data set; if the non-alarm data set is non-empty, the non-alarm rules are modified in step S25.
Further, the alarm data set in S24 is generated as follows:
Use the relevant commands of the Snort engine's network intrusion detection mode to list the sids of all SQL injection detection rules that triggered an alert, deduplicate those sids, and collect the sids and rule contents of all alert-triggering rules in the second matching data set to form the alarm data set; if the alarm data set is non-empty, the alarm rules are modified in step S25.
Further, the initial rule modification script in S25 is written in Python and is constructed as follows:
S251. Use regular matching with the re module to find the content field and pcre field of each initial SQL injection detection rule and extract them as the initial rule content;
S252. Decode the URL-encoded content in the static pcap file with the urllib module to obtain the decoded content;
S253. Build the initial rule modification script from the initial rule content and the decoded content; import the non-alarm data set into the script, extract the rule contents in the non-alarm data set, and add keywords to the initial rule content according to the malicious traffic so that every SQL injection detection rule hits the malicious traffic;
S254. Import the alarm data set into the script, extract the rule contents in the alarm data set, and modify or delete keywords in the initial rule content according to the normal traffic so that no SQL injection detection rule hits the normal traffic.
Further, in step S1 the Wireshark packet capture tool or the tcpdump packet capture tool of a Linux system is used to collect the server traffic, generate the corresponding static pcap file, and save it in the home directory of the Linux system.
Further, in step S1 the SQL injection malicious traffic is generated with the sqlmap plug-in of the Burp Suite integrated platform.
Further, in step S2 the initial SQL injection detection rules are configured in the Snort engine, the Snort engine being built in a Linux environment; during configuration the path of the SQL injection detection rule file must be written into the Snort configuration file.
Further, in step S2 the Snort engine reads the normal-traffic static pcap file and the malicious-traffic static pcap file through the relevant commands of the network intrusion detection mode.
Compared with the prior art, the invention has the following advantages and beneficial effects:
the invention has the beneficial effects that:
1. In the SQL injection detection method based on the Snort engine of the invention, before suspected SQL injection traffic is detected with the Snort engine, the initial SQL injection rules present in the engine are pre-tested against collected SQL injection malicious traffic and normal service traffic; the pre-tested initial SQL injection detection rules are modified and adjusted by an initial rule modification script, which reduces the false negative rate and false positive rate of the initial rules and improves Snort-based SQL injection detection efficiency;
2. The method detects and alerts on suspected SQL injection data in the server request traffic; before the Snort engine runs its rules against the suspected SQL injection packets, other network tools are used to pre-test the engine, and SQL injection detection rules targeting different network protocol layers are used to reduce false positives and false negatives, improving the detection efficiency of the Snort engine.
Drawings
In order to more clearly illustrate the technical solutions of the exemplary embodiments of the present invention, the drawings that are needed in the examples will be briefly described below, it being understood that the following drawings only illustrate some examples of the present invention and therefore should not be considered as limiting the scope, and that other related drawings may be obtained from these drawings without inventive effort for a person skilled in the art. In the drawings:
FIG. 1 is a flow chart of a SQL injection detection method according to an embodiment of the invention.
Fig. 2 is a terminal device to which the SQL injection detection method is applied according to an embodiment of the present invention;
fig. 3 is a schematic diagram of a computer storage medium according to an embodiment of the present invention.
Detailed Description
For the purpose of making apparent the objects, technical solutions and advantages of the present invention, the present invention will be further described in detail with reference to the following examples and the accompanying drawings, wherein the exemplary embodiments of the present invention and the descriptions thereof are for illustrating the present invention only and are not to be construed as limiting the present invention.
Example 1
Referring to fig. 1, an SQL injection detection method based on Snort engine includes the following steps:
S1. Acquire suspected SQL injection traffic of the server and normal service traffic of the server, and generate a suspected-traffic static pcap file and a normal-traffic static pcap file respectively; generate SQL injection malicious traffic with the Burp Suite integrated platform and save it as a malicious-traffic static pcap file; in practice the sqlmap plug-in of Burp Suite can be used to generate the SQL injection malicious traffic;
Specifically, the Wireshark packet capture tool or the tcpdump packet capture tool of a Linux system is used to collect the server traffic, generate the corresponding static pcap file and save it in the home directory of the Linux system. The tcpdump capture command is of the form tcpdump -i eth0 host <server ip> -w test.pcap, where -i selects the capture interface (the original prints this option as -An), host restricts the capture to traffic to or from the server address, and -w writes the raw packets to the pcap file.
S2. Configure the initial SQL injection detection rules in the Snort engine; read the normal-traffic static pcap file and the malicious-traffic static pcap file with the Snort engine configured with the initial SQL injection detection rules; run the initial SQL injection detection rules against the normal-traffic pcap file and the malicious-traffic pcap file respectively and record the rule hits;
The Snort engine is set up in a Linux environment. Open its configuration file with vim /snort/etc/snort.conf, find the line include $RULE_PATH/local.rules and add include $RULE_PATH/sql.rules below it, which writes the path of the SQL rule file into the Snort configuration (the original prints the variable as RULE_PUTH; the standard name is RULE_PATH, and Snort does not care about the extension of the rule file). The Snort engine then reads the normal-traffic and malicious-traffic static pcap files through the commands of the network intrusion detection mode, for example snort -c /snort/etc/snort.conf --pcap-dir=/home/foo/pcaps, which loads the rules from the configuration file given with -c and processes every pcap file in that directory.
Specifically, the rule hit procedure in S2 is:
S21. Match the malicious-traffic static pcap file against the initial SQL injection detection rules, and sort all SQL injection detection rules by the sid field of each rule to form a first matching data set;
S22. Find the SQL injection detection rules in the first matching data set that did not trigger an alert, generate a non-alarm data set, and obtain the false negative (missed report) rate from the non-alarm data set; if the false negative rate is greater than 0, go to step S25, and if it is 0, go to step S23;
Specifically, the non-alarm data set is generated as follows: use the relevant commands of the Snort engine's network intrusion detection mode to list the sids of all SQL injection detection rules that triggered an alert, and collect the sids and rule contents of the remaining rules in the first matching data set that did not trigger an alert to form the non-alarm data set; if the non-alarm data set is non-empty, the non-alarm rules are modified in step S25;
S23. Match the normal-traffic static pcap file against the initial SQL injection detection rules, and sort all SQL injection detection rules by their sid field to form a second matching data set;
S24. Find the SQL injection detection rules in the second matching data set that triggered an alert, generate an alarm data set, and obtain the false positive rate from the alarm data set; if the false positive rate is greater than 0, go to step S25;
Specifically, the alarm data set is generated as follows: use the relevant commands of the Snort engine's network intrusion detection mode to list the sids of all SQL injection detection rules that triggered an alert, deduplicate those sids, and collect the sids and rule contents of all alert-triggering rules in the second matching data set to form the alarm data set; if the alarm data set is non-empty, the alarm rules are modified in step S25;
S25. Construct an initial rule modification script according to the SQL injection type; import the non-alarm data set into the script, match the non-alarm rules among the initial SQL injection detection rules against the data, and add matching factors to the non-alarm rules so as to reduce the false negative rate in the subsequent retest; import the alarm data set into the script, match the alarm rules among the initial SQL injection detection rules against the data, and delete or modify matching factors in the alarm rules so as to reduce the false positive rate in the subsequent retest. The matching factors are the content field of an SQL injection detection rule, which hits the packet payload by keyword, and the pcre field, which hits the packet payload by regular expression; the alarm rules and the non-alarm rules are both SQL injection detection rules.
Because the SQL injection detection rules in the Snort engine are long, the initial rule modification script extracts only the detection part of each rule; the repeated parts that can be stripped for this purpose are the alert action, the msg, sid and nocase options and the IP address fields. Specifically, the initial rule modification script in S25 is written in Python and is constructed as follows:
S251. Use regular matching with the re module to find the content field and pcre field of each initial SQL injection detection rule and extract them as the initial rule content;
S252. Decode the URL-encoded content in the static pcap file with the urllib module to obtain the decoded content;
S253. Build the initial rule modification script from the initial rule content and the decoded content; import the non-alarm data set into the script, extract the rule contents in the non-alarm data set, and add keywords to the initial rule content according to the malicious traffic so that every SQL injection detection rule hits the malicious traffic;
S254. Import the alarm data set into the script, extract the rule contents in the alarm data set, and modify or delete keywords in the initial rule content according to the normal traffic so that no SQL injection detection rule hits the normal traffic; here the matching factors are the content field, which hits the packet payload by keyword, and the pcre field, which hits the packet payload by regular expression.
S3. Modify the initial SQL injection detection rules according to the rule hit results to generate retest SQL injection detection rules, and reconfigure the Snort engine with the retest SQL injection detection rules;
S4. Read the suspected-traffic static pcap file with the Snort engine configured with the retest SQL injection detection rules, run the retest rules against it and record the corresponding alert data to complete SQL injection detection. When the suspected-traffic pcap file is run against the rules: if it hits a rule, SQL injection against the server is confirmed and the traffic that the Snort engine intercepted on the hit rule is handled securely, where secure handling includes blocking the source IP of the user performing SQL injection against the server, recording the SQL injection attack pattern and adding it to the server's defence blacklist; if the suspected-traffic pcap file hits no rule, it is confirmed that there is no SQL injection against the server, which completes the SQL detection process.
It will be appreciated that the initial SQL injection detection rules include rules that inspect the packet's URL, rules that inspect the packet's header fields and rules that inspect the packet's data; the content field of an SQL injection detection rule hits the packet payload by keyword and the pcre field hits it by regular expression, and together they are run against the data traffic. In this embodiment all SQL injection detection rules in the Snort engine are pre-tested, the false positive rate and false negative rate of the rules are reduced through the pre-test, and only then is the suspected traffic detected. During the pre-test the network intrusion detection mode of the Snort engine is used to run the static pcap files against the rules: if the malicious-traffic pcap file hits the rules, the suspected-traffic and normal-traffic pcap files of the server are run against the rules in turn; if the malicious-traffic pcap file misses the rules, a false negative is confirmed and the configuration file is revisited to check the SQL injection detection rules for errors; if the normal-traffic pcap file hits a rule, a false positive is confirmed and the configuration file is revisited to check the rules; if the normal-traffic pcap file hits nothing, it is confirmed that there is no false positive. The suspected-traffic pcap file is then retested with the modified SQL injection detection rules: if it hits a rule, SQL injection against the server is confirmed and the traffic intercepted by the Snort engine on the hit rule is handled securely, which includes blocking the source IP performing the SQL injection, recording the SQL injection attack pattern and adding it to the server's defence blacklist; if the suspected-traffic pcap file hits no rule, it is confirmed that there is no SQL injection against the server.
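The pre-test loop of steps S21 to S25 and the modification script of S251 to S254 (also listed in the Disclosure above), written out as an added example; this is not the patent's own script, whose source is not disclosed. It is in Python because the patent states its script uses the re and urllib modules. The rule lines, the alert_fast output of the two Snort runs and the captured URI are constructed sample inputs; the sids are hypothetical local sids; http_uri is the Snort 2 content modifier that matches against the normalized (percent-decoded) URI buffer of the http_inspect preprocessor; and the FP_EDITS table stands in for the analyst's choice of which keyword to change. One caveat the example makes visible: Snort ANDs the content options of a rule, so adding a keyword to a rule that already misses cannot make it hit; what helps is matching the decoded buffer (http_uri), loosening the pcre, or replacing the keyword with the form that actually appears on the wire. A rule that no sample in the malicious set exercises is reported as uncovered rather than modified.

```python
"""Pre-test of Snort SQL injection rules and generation of the retest rule set."""
import re
from urllib.parse import unquote_plus

# ---- Constructed sample inputs (not the patent's data; sids are hypothetical) ----
INITIAL_RULES = r'''
alert tcp any any -> $HOME_NET 80 (msg:"SQLI union select"; flow:to_server,established; content:"union"; nocase; content:"select"; nocase; pcre:"/union\s+(all\s+)?select/i"; sid:1000001; rev:1;)
alert tcp any any -> $HOME_NET 80 (msg:"SQLI tautology"; flow:to_server,established; content:"or 1=1"; nocase; sid:1000002; rev:1;)
alert tcp any any -> $HOME_NET 80 (msg:"SQLI comment"; flow:to_server,established; content:"'"; content:"--"; sid:1000003; rev:1;)
alert tcp any any -> $HOME_NET 80 (msg:"SQLI time-based"; flow:to_server,established; content:"sleep("; nocase; sid:1000004; rev:1;)
'''
# alert_fast output of the run over the malicious pcap (S21) and over the normal pcap (S23).
MALICIOUS_RUN = """\
07/11-10:02:13.123456  [**] [1:1000001:1] SQLI union select [**] [Priority: 0] {TCP} 10.0.0.5:43210 -> 10.0.0.10:80
07/11-10:02:14.223456  [**] [1:1000003:1] SQLI comment [**] [Priority: 0] {TCP} 10.0.0.5:43211 -> 10.0.0.10:80
"""
NORMAL_RUN = """\
07/11-10:05:01.000001  [**] [1:1000003:1] SQLI comment [**] [Priority: 0] {TCP} 10.0.0.7:51000 -> 10.0.0.10:80
07/11-10:05:02.000001  [**] [1:1000003:1] SQLI comment [**] [Priority: 0] {TCP} 10.0.0.7:51001 -> 10.0.0.10:80
"""
# One URL-encoded request URI carried by the malicious pcap, as the script reads it (S252).
MALICIOUS_URI = "/item.php?id=1%27+AND+SLEEP%285%29--+"
# Analyst-chosen edit per rule that fired on normal traffic: (old keyword, new keyword or None
# to delete it). Hypothetical: requiring a quote before "--" stops hits on ranges like 1--5.
FP_EDITS = {1000003: ("--", "'--")}

SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
REV_RE = re.compile(r"\brev:\s*(\d+)\s*;")
CONTENT_RE = re.compile(r'\bcontent:\s*"((?:[^"\\]|\\.)*)"\s*;')
PCRE_RE = re.compile(r'\bpcre:\s*"((?:[^"\\]|\\.)*)"\s*;')
FAST_ALERT_RE = re.compile(r"\[\*\*\]\s+\[(\d+):(\d+):(\d+)\]")  # [gid:sid:rev]


def parse_rules(text):
    """S251: map sid -> {raw, contents, pcres} for every rule line."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        m = SID_RE.search(line)
        if line and not line.startswith("#") and m:
            rules[int(m.group(1))] = {"raw": line, "contents": CONTENT_RE.findall(line),
                                      "pcres": PCRE_RE.findall(line)}
    return rules


def fired_sids(alert_fast_text):
    """Deduplicated sids that appear in alert_fast output."""
    return {int(m.group(2)) for m in FAST_ALERT_RE.finditer(alert_fast_text)}


def pretest(rules, malicious_alerts, normal_alerts):
    """S21-S24: non-alarm set (rules missing the malicious pcap), alarm set (rules hitting the
    normal pcap), and the false negative / false positive rates over all rules."""
    sids = sorted(rules)  # the first/second matching data set, ordered by sid
    missed = sorted(set(sids) - fired_sids(malicious_alerts))
    false_pos = sorted(set(sids) & fired_sids(normal_alerts))
    return {"non_alarm": missed, "miss_rate": len(missed) / len(sids),
            "alarm": false_pos, "fp_rate": len(false_pos) / len(sids)}


def decode_uri(uri):
    """S252: percent-decode a captured URI so keywords can be compared with rule content."""
    return unquote_plus(uri)


def _bump_rev(rule_raw):
    return REV_RE.sub(lambda m: "rev:%d;" % (int(m.group(1)) + 1), rule_raw, count=1)


def add_modifier(rule_raw, keyword, modifier="http_uri"):
    """S253: attach a buffer modifier to an existing content match and bump rev."""
    pat = re.compile(r'(content:\s*"%s"\s*;(?:\s*nocase\s*;)?)' % re.escape(keyword))
    return _bump_rev(pat.sub(r"\1 %s;" % modifier, rule_raw, count=1))


def edit_content(rule_raw, old, new=None):
    """S254: replace a content keyword (new given) or delete it (new is None); bump rev."""
    pat = re.compile(r'content:\s*"%s"\s*;(\s*nocase\s*;)?\s*' % re.escape(old))
    repl = "" if new is None else (lambda m: 'content:"%s";%s ' % (new, m.group(1) or ""))
    return _bump_rev(pat.sub(repl, rule_raw, count=1))


def build_retest_rules(rules, report, raw_uri, fp_edits=FP_EDITS):
    """S25/S3: produce the retest rule set. Returns (sid -> rule text, sids with no sample)."""
    decoded, raw = decode_uri(raw_uri).lower(), raw_uri.lower()
    retest = {sid: r["raw"] for sid, r in rules.items()}
    uncovered = []
    for sid in report["non_alarm"]:
        fixed = False
        for kw in rules[sid]["contents"]:
            if kw.lower() in decoded and kw.lower() not in raw:
                # keyword only visible after decoding: match the normalized URI buffer
                retest[sid] = add_modifier(retest[sid], kw, "http_uri")
                fixed = True
        if not fixed:
            uncovered.append(sid)  # nothing in the malicious set exercises this rule
    for sid in report["alarm"]:
        old, new = fp_edits.get(sid, (None, None))
        if old is not None:
            retest[sid] = edit_content(retest[sid], old, new)
    return retest, uncovered


if __name__ == "__main__":
    rules = parse_rules(INITIAL_RULES)
    report = pretest(rules, MALICIOUS_RUN, NORMAL_RUN)
    retest, uncovered = build_retest_rules(rules, report, MALICIOUS_URI)
    print("false negative rate %.2f, false positive rate %.2f" % (report["miss_rate"], report["fp_rate"]))
    for sid in sorted(retest):
        print(retest[sid])
    print("rules with no malicious sample:", uncovered)
```

Run as a script it prints the two rates and the retest rule file. In a real run the three constructed strings are replaced by the rule file and by the alert output of snort -c snort.conf -A fast --pcap-single=<file> for the malicious and the normal capture; the -A fast format is what FAST_ALERT_RE expects. Rates are computed over all rules, as in S22 and S24, so a large ruleset with a small malicious sample will show a high false negative rate that is really missing coverage of the test set, which is why the uncovered list is reported separately.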
Example 2
Based on embodiment 1, an optimization mode of an SQL injection detection method based on a Snort engine is provided.
Further, the optimization mode is as follows:
the SQL injection detection rule can use a threshold field to confirm the minimum threshold of the matching times of the data packet to reduce the false alarm rate, and use limit to limit the alarming times to reduce the false alarm rate; the Snort engine is connected with the big data feature library, and the SQL injection detection rule in the Snort configuration file is updated in time by the latest SQL injection attack means in the big data library, and the alarm information aiming at vulnerability on the protected server is referred to reduce the missing report rate and the false report rate;
example 3
As shown in fig. 2, the present embodiment proposes a terminal device of the method for detecting SQL injection based on Snort engine, and the terminal device 200 includes at least one memory 210, at least one processor 220, and a bus 230 connected to different platform systems.
Memory 210 may include readable media in the form of volatile memory, such as Random Access Memory (RAM) 211 and/or cache memory 212, and may further include Read Only Memory (ROM) 213.
The memory 210 further stores a computer program, where the computer program may be executed by the processor 220, so that the processor 220 executes any of the above-mentioned methods for detecting SQL injection based on the Snort engine in the embodiments of the present application, and a specific implementation manner of the method is consistent with the implementation manner and the achieved technical effects described in the embodiments of the present application, and some contents are not repeated. Memory 210 may also include a program/utility 214 having a set (at least one) of program modules 215 including, but not limited to: an operating system, one or more application programs, other program modules, and program data, each or some combination of which may include an implementation of a network environment.
Accordingly, the processor 220 may execute the computer programs described above, as well as the program/utility 214.
Bus 230 may be a local bus representing one or more of several types of bus structures including a memory bus or memory controller, a peripheral bus, an accelerated graphics port, a processor, or using any of a variety of bus architectures.
Terminal device 200 can also communicate with one or more external devices 240, such as a keyboard, pointing device, bluetooth device, etc., as well as one or more devices capable of interacting with the terminal device 200, and/or with any device (e.g., router, modem, etc.) that enables the terminal device 200 to communicate with one or more other computing devices. Such communication may occur through an input/output (I/O) interface 250. Also, terminal device 200 can communicate with one or more networks such as a Local Area Network (LAN), a Wide Area Network (WAN) and/or a public network, such as the Internet, through network adapter 260. Network adapter 260 may communicate with other modules of terminal device 200 via bus 230. It should be appreciated that although not shown, other hardware and/or software modules may be used in connection with terminal device 200, including, but not limited to: microcode, device drivers, redundant processors, external disk drive arrays, RAID systems, tape drives, data backup storage platforms, and the like.
Example 4
As shown in fig. 3, this embodiment proposes a computer readable storage medium of a Snort engine-based SQL injection detection method, where an instruction is stored on the computer readable storage medium, and the instruction, when executed by a processor, implements any one of the above-mentioned Snort engine-based SQL injection detection methods. The specific implementation manner of the method is consistent with the implementation manner and the achieved technical effect described in the above embodiments, and some of the details are not repeated.
Fig. 3 shows a program product 300 provided by the present embodiment for implementing the above method, which may employ a portable compact disc read-only memory (CD-ROM) and comprise program code, and may be run on a terminal device, such as a personal computer. However, the program product 300 of the present invention is not limited thereto; in this document, a readable storage medium may be any tangible medium that can contain or store a program for use by or in connection with an instruction execution system, apparatus, or device. Program product 300 may employ any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. The readable storage medium can be, for example, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium include the following: an electrical connection having one or more wires, a portable disk, a hard disk, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fiber, portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
The computer readable storage medium may include a data signal propagated in baseband or as part of a carrier wave, with readable program code embodied therein. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electromagnetic, optical, or any suitable combination of the foregoing. A readable storage medium may also be any readable medium that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a readable storage medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing. Program code for carrying out operations of the present invention may be written in any combination of one or more programming languages, including an object-oriented programming language such as Java or C++ and conventional procedural programming languages such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device as a stand-alone software package, partly on the user's computing device and partly on a remote computing device, or entirely on the remote computing device or server. In the case of remote computing devices, the remote computing device may be connected to the user's computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., via the Internet using an Internet service provider).
It will be appreciated by those skilled in the art that embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
Those of ordinary skill in the art will appreciate that all or part of the steps of the above methods may be implemented by a program instructing related hardware; the program may be stored in a computer readable storage medium and, when executed, performs the corresponding method steps; the storage medium may be a ROM/RAM, a magnetic disk, an optical disk, or the like.
The foregoing description of the embodiments has been provided to illustrate the general principles of the invention and is not meant to limit the scope of the invention, nor to limit the invention to the particular embodiments; any modifications, equivalents, improvements, etc. that fall within the spirit and principles of the invention are intended to be included within the scope of the invention.

Claims (8)

1. The SQL injection detection method based on the Snort engine is characterized by comprising the following steps of:
S1, acquiring suspected SQL injection traffic of a server and normal traffic of the server's services, and generating a suspected-traffic static pcap packet and a normal-traffic static pcap packet respectively; generating SQL injection malicious traffic with the Burp Suite integration platform and generating a malicious-traffic static pcap packet;
S2, configuring an initial SQL injection detection rule in the Snort engine; reading the normal-traffic static pcap packet and the malicious-traffic static pcap packet with the Snort engine configured with the initial SQL injection detection rule; performing rule hits on the normal-traffic static pcap packet and the malicious-traffic static pcap packet respectively using the initial SQL injection detection rule;
the specific process of the rule hit in step S2 is as follows:
S21, matching the malicious-traffic static pcap packet against the initial SQL injection detection rules, and sorting all SQL injection detection rules by the sid field of each SQL injection detection rule to form a first matching data set;
S22, finding the SQL injection detection rules in the first matching data set that did not trigger an alarm and generating a non-alarm data set; obtaining the missing report rate from the non-alarm data set; entering step S25 if the missing report rate is greater than 0, and entering step S23 if the missing report rate is 0;
S23, matching the normal-traffic static pcap packet against the initial SQL injection detection rules, and sorting all SQL injection detection rules by the sid field of each SQL injection detection rule to form a second matching data set;
S24, finding the SQL injection detection rules in the second matching data set that triggered an alarm and generating an alarm data set; obtaining the false alarm rate from the alarm data set, and entering step S25 if the false alarm rate is greater than 0;
S25, constructing an initial rule modification script according to the SQL injection type; importing the non-alarm data set into the initial rule modification script, performing data matching on the non-alarm rules, and adding matching factors to the non-alarm rules; importing the alarm data set into the initial rule modification script, performing data matching on the alarm rules, and deleting or modifying matching factors in the alarm rules; the matching factors are the Content fields of the SQL injection detection rules, which hit the content of the pcap packet by keyword, and the Pcre fields, which hit the content of the pcap packet by regular expression;
S3, modifying the initial SQL injection detection rule according to the rule hit result to generate a retest SQL injection detection rule, and reconfiguring the Snort engine with the retest SQL injection detection rule;
S4, reading the suspected-traffic static pcap packet with the Snort engine configured with the retest SQL injection detection rule, performing rule hits on the suspected-traffic static pcap packet using the retest SQL injection detection rule, and recording the corresponding alarm data to complete the SQL injection detection.
2. The method for detecting SQL injection based on the Snort engine according to claim 1, wherein the non-alarm data set in S22 is generated as follows: checking the sids of all SQL injection detection rules that triggered an alarm using the related commands of the Snort engine's network intrusion detection mode, and sorting the sids and related rule contents of the remaining rules in the first matching data set that did not trigger an alarm to form the non-alarm data set; if the non-alarm data set contains data, the non-alarm rules are modified in step S25.
3. The method for detecting SQL injection based on the Snort engine according to claim 1, wherein the alarm data set in S24 is generated as follows: checking the sids of all SQL injection detection rules that triggered an alarm using the related commands of the Snort engine's network intrusion detection mode, de-duplicating the sids of all rules that triggered an alarm, and sorting the sids and related rule contents of all rules in the second matching data set that triggered an alarm to form the alarm data set; if the alarm data set contains data, the alarm rules are modified in step S25.
4. The method for detecting SQL injection based on the Snort engine according to claim 1, wherein the initial rule modification script in S25 is built in Python, as follows:
S251, using regular matching with the re module, finding the Content field content and the Pcre field content in the initial SQL injection detection rule and extracting them to obtain the initial rule content;
S252, decoding the URL content of the encoded static pcap packet with the urllib module to obtain the decoded content;
S253, obtaining the initial rule modification script from the initial rule content and the decoded content; importing the non-alarm data set into the initial rule modification script, extracting the rule contents in the non-alarm data set, and adding keywords to the initial rule content according to the malicious traffic;
S254, importing the alarm data set into the initial rule modification script, extracting the rule contents in the alarm data set, and modifying or deleting keywords of the initial rule content according to the normal traffic.
5. The method for detecting SQL injection based on the Snort engine according to claim 1, wherein in S1, the Wireshark network packet capture tool or the Tcpdump packet capture tool of a Linux system is used to capture the server traffic and generate the corresponding traffic static pcap packet, and the generated traffic static pcap packet is stored in the Home folder of the Linux system.
6. The method for detecting SQL injection based on the Snort engine according to claim 1, wherein in step S1, the SQL injection malicious traffic is generated through the SQLmap plug-in of the Burp Suite integration platform.
7. The method for detecting SQL injection based on the Snort engine according to claim 1, wherein in step S2, the initial SQL injection detection rule is configured in the Snort engine, the Snort engine is built in a Linux environment, and during configuration the root directory of the SQL injection detection rule file must be written into the Snort configuration file.
8. The method for detecting SQL injection based on the Snort engine according to claim 1, wherein in step S2, the Snort engine reads the normal-traffic static pcap packets and the malicious-traffic static pcap packets through the related commands of the network intrusion detection mode.
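The rule-hit bookkeeping of steps S21 to S24 and the modification script of claim 4 (S251 to S254), carried through as an added Python example; this is not the patent's own script. It assumes Snort 2 text rules with `content`, `pcre` and `sid` options, and that Snort was run over each pcap in network intrusion detection mode with the "fast" alert output, so every alert is a single line carrying `[gid:sid:rev]`. The rules, alert lines and request payload are constructed for illustration, and the keywords handed to `tune_rules` are an analyst's choice taken from the decoded payload, not something the script derives on its own.

```python
"""Rule-hit bookkeeping and rule modification for Snort SQL-injection rule
tuning. Added example, not the patent's script. Assumes Snort 2 text rules
and "fast" alert lines ([gid:sid:rev]); all sample data below is constructed.
"""
import re
from urllib.parse import unquote

# Constructed initial rule set (sids are arbitrary local-range values).
INITIAL_RULES = r"""
alert tcp any any -> any 80 (msg:"SQLi union select"; content:"union"; nocase; content:"select"; nocase; sid:1000001; rev:1;)
alert tcp any any -> any 80 (msg:"SQLi tautology"; pcre:"/or\s+1\s*=\s*1/i"; sid:1000002; rev:1;)
alert tcp any any -> any 80 (msg:"SQLi comment"; content:"--"; sid:1000003; rev:1;)
"""
# Constructed fast-alert output from the malicious pcap (S21) and the normal pcap (S23).
MALICIOUS_ALERTS = """
09/26-10:00:01.000000  [**] [1:1000001:1] SQLi union select [**] [Priority: 0] {TCP} 10.0.0.5:51000 -> 10.0.0.10:80
09/26-10:00:01.200000  [**] [1:1000001:1] SQLi union select [**] [Priority: 0] {TCP} 10.0.0.5:51001 -> 10.0.0.10:80
09/26-10:00:02.000000  [**] [1:1000003:1] SQLi comment [**] [Priority: 0] {TCP} 10.0.0.5:51002 -> 10.0.0.10:80
"""
NORMAL_ALERTS = """
09/26-11:00:00.000000  [**] [1:1000003:1] SQLi comment [**] [Priority: 0] {TCP} 10.0.0.7:52000 -> 10.0.0.10:80
"""

_SID = re.compile(r"\bsid:\s*(\d+)")
_CONTENT = re.compile(r'\bcontent:\s*"((?:[^"\\]|\\.)*)"')
_PCRE = re.compile(r'\bpcre:\s*"((?:[^"\\]|\\.)*)"')
_ALERT_SID = re.compile(r"\[\d+:(\d+):\d+\]")


def parse_rules(text):
    """S251: extract the sid, Content and Pcre fields of each rule, keyed by sid."""
    rules = {}
    for line in text.strip().splitlines():
        m = _SID.search(line)
        if line.lstrip().startswith("#") or not m:
            continue  # comment line or not a rule
        rules[int(m.group(1))] = {"raw": line, "content": _CONTENT.findall(line),
                                  "pcre": _PCRE.findall(line)}
    return rules


def triggered_sids(alert_text):
    """De-duplicated sids of the rules that fired, read from fast-alert lines."""
    return {int(s) for s in _ALERT_SID.findall(alert_text)}


def rule_hit(rules, malicious_alerts, normal_alerts):
    """S21-S24: non-alarm set, alarm set, missing-report rate, false-alarm rate,
    and the step the claim's branching goes to next."""
    sids = sorted(rules)
    total = len(sids) or 1
    hit_mal, hit_norm = triggered_sids(malicious_alerts), triggered_sids(normal_alerts)
    non_alarm = [s for s in sids if s not in hit_mal]  # silent on malicious traffic
    alarm = [s for s in sids if s in hit_norm]         # fired on normal traffic
    miss_rate, fa_rate = len(non_alarm) / total, len(alarm) / total
    return {"non_alarm": non_alarm, "alarm": alarm, "miss_rate": miss_rate,
            "false_alarm_rate": fa_rate,
            "next_step": "S25" if miss_rate > 0 or fa_rate > 0 else "S3"}


def decode_url(s):
    """S252: percent-decode a captured request so it can be compared with rule keywords."""
    return unquote(s)


def _escape(keyword):
    # Snort content strings escape backslash, double quote and semicolon.
    return keyword.replace("\\", "\\\\").replace('"', '\\"').replace(";", "\\;")


def add_content_match(rule, keyword):
    """S253: widen a non-alarm rule with a keyword from the decoded malicious payload."""
    clause = f'content:"{_escape(keyword)}"; nocase; '
    return re.sub(r"(?=\bsid:)", lambda _m: clause, rule, count=1)


def modify_content_match(rule, old, new=None):
    """S254: narrow an alarm rule by replacing (new given) or deleting (new=None)
    the Content clause that fired on normal traffic."""
    pat = r'content:\s*"' + re.escape(_escape(old)) + r'"\s*;\s*(?:nocase\s*;\s*)?'
    repl = "" if new is None else f'content:"{_escape(new)}"; nocase; '
    return re.sub(pat, lambda _m: repl, rule, count=1)


def tune_rules(rules_text, malicious_alerts, normal_alerts, add_for_missed, fix_for_alarm):
    """S25 then S3: apply analyst-chosen changes and return (report, retest rule text)."""
    rules = parse_rules(rules_text)
    report = rule_hit(rules, malicious_alerts, normal_alerts)
    out = []
    for sid in sorted(rules):
        raw = rules[sid]["raw"]
        if sid in report["non_alarm"] and sid in add_for_missed:
            raw = add_content_match(raw, add_for_missed[sid])
        if sid in report["alarm"] and sid in fix_for_alarm:
            raw = modify_content_match(raw, *fix_for_alarm[sid])
        out.append(raw)
    return report, "\n".join(out) + "\n"


if __name__ == "__main__":
    missed = decode_url("id=1%27%20OR%201%3D1--")  # constructed request that sid 1000002 missed
    report, retest = tune_rules(INITIAL_RULES, MALICIOUS_ALERTS, NORMAL_ALERTS,
                                add_for_missed={1000002: "1=1"},         # keyword seen in `missed`
                                fix_for_alarm={1000003: ("--", "' --")})  # tighten rather than delete
    print(report)
    print(retest)
```

With Snort 2 the alert files come from a run such as `snort -c snort.conf -r malicious.pcap -A fast` (claim 8), and the rule file is wired in through a `var RULE_PATH` line plus `include $RULE_PATH/<file>.rules` in `snort.conf` (claim 7). Two design points: the miss and false-alarm rates are computed over the whole rule set in one pass so both tuning directions are visible together, which slightly generalises the one-branch-at-a-time flow of S22 and S24; and the alarm rule is tightened with a replacement keyword rather than having its clause deleted, because a rule left with no `content` or `pcre` option matches every packet on the port.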
CN202111131110.8A 2021-09-26 2021-09-26 SQL injection detection method based on Snort engine Active CN113872965B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111131110.8A CN113872965B (en) 2021-09-26 2021-09-26 SQL injection detection method based on Snort engine

Publications (2)

Publication Number Publication Date
CN113872965A CN113872965A (en) 2021-12-31
CN113872965B true CN113872965B (en) 2023-05-09

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant